Fortinet FortiAnalyzer Administrator Study Guide for FortiAnalyzer 7.2
816 206 20MB
English Pages [201]
00 SQL and Datasets (supplementary material)
01 Introduction and Initial Configuration
02 Administration and Management
03 RAID and HA
04 Device Management
05 Logs and Reports Management
Recommend Papers
File loading please wait...
Citation preview
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrator Study Guide for FortiAnalyzer 7.2
DO NOT REPRINT © FORTINET Fortinet Training Institute - Library https://training.fortinet.com Fortinet Product Documentation https://docs.fortinet.com Fortinet Knowledge Base https://kb.fortinet.com Fortinet Fuse User Community https://fusecommunity.fortinet.com/home Fortinet Forums https://forum.fortinet.com Fortinet Product Support https://support.fortinet.com FortiGuard Labs https://www.fortiguard.com Fortinet Training Program Information https://www.fortinet.com/nse-training Fortinet | Pearson VUE https://home.pearsonvue.com/fortinet Fortinet Training Institute Helpdesk (training questions, comments, feedback) https://helpdesk.training.fortinet.com/support/home
11/30/2022
DO NOT REPRINT © FORTINET
TABLE OF CONTENTS 00 SQL and Datasets (supplementary material) 01 Introduction and Initial Configuration 02 Administration and Management 03 RAID and HA 04 Device Management 05 Logs and Reports Management
4 38 67 116 140 174
SQL and Datasets
DO NOT REPRINT © FORTINET
This supplemental material aims to provide an overview of SQL and datasets. While teaching SQL in its entirety is out of scope for FortiAnalyzer training, the goal is to provide you with enough information so you can modify or create datasets for the purpose of extracting data for reports.
FortiAnalyzer Administrato 7.2 Study Guide
4
SQL and Datasets
DO NOT REPRINT © FORTINET
These are the topics we will explore in this lesson, beginning with datasets and SQL.
FortiAnalyzer Administrato 7.2 Study Guide
5
SQL and Datasets
DO NOT REPRINT © FORTINET
This section covers datasets. Datasets define what data is extracted from the database and represented in a report’s chart. While FortiAnalyzer does provide pre-defined datasets that address the most common queries, you need to understand Structured Query Language, also known as SQL, in order to modify those datasets or create your own.
FortiAnalyzer Administrato 7.2 Study Guide
6
SQL and Datasets
DO NOT REPRINT © FORTINET
A dataset is an SQL SELECT query. The result from that query—the specific data polled from the database— is what populates a chart. FortiAnalyzer includes many predefined datasets that contain some of the most common database queries. These are available to view from the Datasets page. This is an example of the default Top-Destinations-By-Sessions dataset.
FortiAnalyzer Administrato 7.2 Study Guide
7
SQL and Datasets
DO NOT REPRINT © FORTINET
When you are building your queries, you must use SQL syntax to interface with the database. When creating or editing datasets, there is a Test button where you can test your query. If it is not formed correctly, an error message appears. If it formed correctly, and the data you are querying is available in the database, the results appear. Note that SQL queries are not case-sensitive.
FortiAnalyzer Administrato 7.2 Study Guide
8
SQL and Datasets
DO NOT REPRINT © FORTINET
Now let’s take a closer look at the query itself. In order to understand this example dataset, and more specifically, what it is querying, you need to understand SQL. SQL is what is known as a declarative language—it describes what needs to be done rather then how to do it. In an SQL database all information is represented as tables, each table consists of a set of rows and columns. There are two types of tables: • •
User tables, which contain information that is in the database, and System tables, which contain the database description.
FortiAnalyzer Administrato 7.2 Study Guide
9
SQL and Datasets
DO NOT REPRINT © FORTINET
In order to retrieve and manipulate data in the database, you need to use data manipulation language, which is a family of syntax elements used by SQL. These syntax elements are SELECT, INSERT, UPDATE, and DELETE. These are the first words used in a query—they are the declarative verbs describing what you want done. As far as FortiAnalyzer reports are concerned, only the SELECT statement is used. It is purely a read-only query statement that is used to retrieve data from the database.
FortiAnalyzer Administrato 7.2 Study Guide
10
SQL and Datasets
DO NOT REPRINT © FORTINET
The SELECT statement is used to query the database and retrieve log data. In order to pull the data you want, you must specify the criteria. For example, let’s say you want to query the database for a list of employees who work in the IT department. In order to put this criteria into a language that SQL understands, you must use a clause recognized by the SELECT statement. The main clauses FortiAnalyzer reports use are: • • • • •
FROM, which specifies the table. WHERE, which specifies the conditions. All rows that do not satisfy the condition are eliminated from the output. GROUP BY, which collects data across multiple records and groups the results by one or more columns. ORDER BY, which orders the results by rows. If ORDER BY is not given, the rows are returned in whatever order the system finds the fastest to produce. And finally, LIMIT, which limits the number of records returned based on a specified value. OFFSET is another clause often used along with LIMIT, which offset the results by the number specified. For example, if you place a limit of 3 records and an offset of 1, the first record that would normally be returned is skipped and instead the second, third, and fourth records (3 in total) are returned.
FROM is the only mandatory clause required to form a SELECT statement; the rest of the clauses are optional and serve to filter or limit, aggregate or combine, and control the sort. It is also important to note that the clauses must be coded in a specific sequence. This is to say that following the SELECT keyword, the statement must be followed by one or more clauses in the order they appear in this table provided. For example, you cannot use the WHERE clause before the FROM clause. You do not have to use all optional clauses, but whichever ones you do use they have to be in the correct sequence.
FortiAnalyzer Administrato 7.2 Study Guide
11
SQL and Datasets
DO NOT REPRINT © FORTINET
SELECT is the first word used in any SQL query that involves FortiAnalyzer reports. This is a declarative statement that instructs the program to query the column in the database for the information you want returned. For example: SELECT dstip Dstip is the column name for destination IP in the SQL schema. Note that you can select more than one column name and you can also have the column name appear under a more user friendly name in the results table by appending the command with “as . For example, SELECT dstip as destination_ip. In the results table, the values for dstip will now appear under a column named destination_ip. If you want to return all data, you can use the * symbol. For example, SELECT *. Though most of the time that is more information that you require. At minimum, you must use the FROM clause with your SELECT statement. This instructs the program where the information is located. For example: FROM $log Here $log refers to the logs in the log type selected for the dataset, such as traffic logs or web filter logs to name a few.
FortiAnalyzer Administrato 7.2 Study Guide
12
SQL and Datasets
DO NOT REPRINT © FORTINET
You can search multiple log types in order to combine the data so that you can compare and contrast information. To do this, use the log type syntax associated with the specific log type. For example, if you want to search both the traffic logs and web filter logs, use: FROM $log-traffic, $log-webfilter
FortiAnalyzer Administrato 7.2 Study Guide
13
SQL and Datasets
DO NOT REPRINT © FORTINET
Out of all the optional clauses, the WHERE statement is really the heart of the query, because this is where you specify the criteria. The WHERE statement must always come after the FROM statement. In this example, the first expression is $filter, which is used to restrict the results to the time period you select. While the time period is not added to the query itself, it is specified by way of a drop-down box when creating the dataset through the FortiAnalyzer GUI. The second expression is dstip, which is the destination IP, while the third expression is NULL. SQL supports logic operators as well, so you can use AND/OR/NOT statements in order to build out the query. Operators will be discussed later in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
14
SQL and Datasets
DO NOT REPRINT © FORTINET
The GROUP BY clause is used to create one output row for each group. It is usually used with an aggregate function within the SELECT statement. We will cover aggregate functions later, but essentially they perform a calculation on a set of values and return a single value. If it is not used with an aggregate function, it is similar to the DISTINCT clause, in that it removes duplicates from the result set of a SELECT statement. In this example, the GROUP BY clause is use with an aggregate function. The aggregate function is count(*), which selects all rows in a table, even if some columns contain a NULL value. In this example, we are grouping by dstip (destination IP).
FortiAnalyzer Administrato 7.2 Study Guide
15
SQL and Datasets
DO NOT REPRINT © FORTINET
ORDER BY is a clause that allows you to sort queries by column name or column number. By default, rows of an SQL query result table are not arranged in a particular order, so you can use the ORDER BY clause to sort column values in either ascending (asc) or descending (desc) order. If you use this clause and do not specify ascending or descending, the default is ascending. You can order multiple columns and specify different sort orders for each. For example, you can sort one column in ascending order and another column in descending order. In this example, we are ordering by session in descending order.
FortiAnalyzer Administrato 7.2 Study Guide
16
SQL and Datasets
DO NOT REPRINT © FORTINET
By default, all results that satisfy the conditions specified in the query are returned. However, if you only want to retrieve a subset of records, you can place a limit on the records returned. To do this, use the LIMIT clause and specify the number of results you want. For example, LIMIT 7. This is a great way of making sure that the query doesn’t use unnecessary CPU or memory, especially if you have a large scale deployment with lots of devices logging to the FortiAnalyzer. You can also combine LIMIT with ORDER BY asc to get the “top results” (or desc for the “bottom results”). In conjunction with the LIMIT clause you can use the OFFSET clause. This offsets the results by a set value. For example, if you place a limit of 7 records and an offset of 1, the first record that would normally be returned is skipped and instead 2 through 8 are returned.
FortiAnalyzer Administrato 7.2 Study Guide
17
SQL and Datasets
DO NOT REPRINT © FORTINET
As we’ve been introducing and explaining the main SQL clauses, we’ve been forming a full dataset query along the way. To visually see how it all ties together, we can use the dataset Test feature in the GUI. The feature is intended to test or modify a query in order to get the specific output you want. Ensure you select the log type for the query. The query uses the generic $log, but it references the log type specified in the Log Type drop-down field (in this example, Traffic). You can enter the specific log type in the query instead (for example, $log-traffic), but should you want to view this query on a different log type later, it’s less risky and easier to change from the Log Type drop-down field than in the actual dataset query itself. On the right side of the dialog box, you must also specify the device or devices on which to use this query. Here, we have specified All Devices. You must also specify a time period for this query. As mentioned earlier, the $filter expression used with our WHERE clause states that we want to limit the results to the time period we specify. The Time Period drop-down box is where we specify this time period. If there is an error in the query, the error message appears in the window below. If the query is correct, the results appear in the window below. Since the results appear in the window below, we know our dataset has been correctly formed.
FortiAnalyzer Administrato 7.2 Study Guide
18
SQL and Datasets
DO NOT REPRINT © FORTINET
Now let’s align the written query with the visual results to fully understand how the query is interpreted by FortiAnalyzer. SELECT dstip as destination_ip, count(*) as session: This says, select the destination IP address and call the column “destination_ip”. Select the count (all data) and call the column “session”. FROM $log: This says, query the traffic log for the data, which is specified in the Log Type drop-down list. WHERE $filter and dstip is not null: This says, limit the results to the time period specified, which is Today according to the selection in the Time Period drop-down list, and only provide destination IP addresses that are not null. Note that “null” represents unknown data—it does not represent zero. GROUP BY dstip: This says, group the results by destination IP. Remember, we specified we wanted dstip put in a column called “destination_ip”. ORDER BY session desc: This says, order the results by session in descending order. Note that the results go from high (200) to low (4). LIMIT 7: This says, only provide the first seven results. OFFSET 1: This says, skip the first result, but still limit the results to the next 7 (i.e. 2 through 8).
FortiAnalyzer Administrato 7.2 Study Guide
19
SQL and Datasets
DO NOT REPRINT © FORTINET
Good job! You now understand datasets and SQL. Now, let’s examine SQL functions and operators.
FortiAnalyzer Administrato 7.2 Study Guide
20
SQL and Datasets
DO NOT REPRINT © FORTINET
This section covers a few of the most common functions and operators used in FortiAnalyzer datasets—it is not intended as a complete and exhaustive list.
FortiAnalyzer Administrato 7.2 Study Guide
21
SQL and Datasets
DO NOT REPRINT © FORTINET
SQL has two types of functions: “normal” functions and aggregate functions. Aggregate functions use the entire column of data as their input and produce a single output, while the “normal” functions operate on each element in the column of data.
FortiAnalyzer Administrato 7.2 Study Guide
22
SQL and Datasets
DO NOT REPRINT © FORTINET
One common function used in FortiAnalyzer datasets is NULLIF. The NULLIF function takes two arguments. If the first two arguments are equal, then NULL is returned. Otherwise, the first argument is returned. Note that NULL represents unknown data—it does not represent zero.
FortiAnalyzer Administrato 7.2 Study Guide
23
SQL and Datasets
DO NOT REPRINT © FORTINET
Another common function used in FortiAnalyzer datasets is COALSECE. The COALESCE function returns the first non-NULL expression among its arguments. Null is returned only if all arguments are null. It is often used to substitute a default value for null values when data is retrieved for display. COALESCE is used with the SELECT statement. It takes one or more expressions as an argument. The values do not have to be string data types—they can be any data type (and also different data types). The syntax is: COALESCE (expression 1, expression 2, …)
FortiAnalyzer Administrato 7.2 Study Guide
24
SQL and Datasets
DO NOT REPRINT © FORTINET
Aggregate functions are a special category with different rules, as they operate on entire columns of data instead of discrete values. These functions perform a calculation on a set of values in a column and returns a single value. Although aggregate functions are usually used in conjunction with the GROUP BY clause, these functions can be used on their own in a SELECT statement. This table includes a list of aggregate functions used in SQL. All can take an expression as an argument and ignore null values, except for count. Count can take an asterisk as an argument. The asterisk in this case means all rows are returned, even if some columns contain a NULL value. An example of an expression used with an aggregate function is SELECT count(unauthuser). This would return the number of unauthorized users.
FortiAnalyzer Administrato 7.2 Study Guide
25
SQL and Datasets
DO NOT REPRINT © FORTINET
Now let’s take a look at SQL operators. An operator is a reserved word or a character used primarily in an SQL statement's WHERE clause to perform various operations. There are three types of operators: • • •
Arithmetic operators Comparison operators Logical operators
FortiAnalyzer Administrato 7.2 Study Guide
26
SQL and Datasets
DO NOT REPRINT © FORTINET
Here are some examples of arithmetic operators. Arithmetic operators perform mathematical operations on two expressions of one or more of the data types of the numeric data type category.
FortiAnalyzer Administrato 7.2 Study Guide
27
SQL and Datasets
DO NOT REPRINT © FORTINET
Here are some examples of comparison operators. Comparison operators test whether two expressions are the same and can be used on all expressions except expressions of the text, ntext, or image data types.
FortiAnalyzer Administrato 7.2 Study Guide
28
SQL and Datasets
DO NOT REPRINT © FORTINET
Here are some examples of logical operators. Logical operators test for the truth of some condition. Like comparison operators, they return a Boolean data type with a value of TRUE, FALSE, or UNKNOWN.
FortiAnalyzer Administrato 7.2 Study Guide
29
SQL and Datasets
DO NOT REPRINT © FORTINET
Good job! You now understand SQL functions and operators. Now, let’s examine FortiAnalyzer functions and macros.
FortiAnalyzer Administrato 7.2 Study Guide
30
SQL and Datasets
DO NOT REPRINT © FORTINET
This section covers FortiAnalyzer functions and macros. FortiAnalyzer includes some built-in functions that are based on known SQL functions, but scripted differently. FortiAnalyzer also includes macros, which are best described as lengthy or complex SQL statements scripted more simplistically. An SQL macro can be used anywhere in a query where an ordinary SQL expression can be used.
FortiAnalyzer Administrato 7.2 Study Guide
31
SQL and Datasets
DO NOT REPRINT © FORTINET
One FortiAnalyzer-specific function is root_domain(hostname). This provides the root domain of the fully qualified domain name. As per the query, in this example root_domain(hostname) is listed under the website column in ascending order (the default for the ORDER BY clause if not specified).
FortiAnalyzer Administrato 7.2 Study Guide
32
SQL and Datasets
DO NOT REPRINT © FORTINET
Another FortiAnalyzer-specific function is nullifna, which takes an expression as an argument. The actual SQL syntax this is based on is SELECT NULLIF(NULLIF(expression, 'N/A'), 'n/a'). In this example, if the user is n/a the source IP is displayed, otherwise it returns the user name. It performs the inverse operation of the COALESCE function. As you can see in the user_src column, there are some IP address and some user names.
FortiAnalyzer Administrato 7.2 Study Guide
33
SQL and Datasets
DO NOT REPRINT © FORTINET
email_domain and email_user are other FortiAnalyzer-specific functions. email_domain retrieves anything that is after the @ symbol in an email address—the domain. email_user retrieves anything that is before the @ symbol in an email address. As per the query, in this example email_user displays in the column e_user, while email_domain displays in the column e_domain.
FortiAnalyzer Administrato 7.2 Study Guide
34
SQL and Datasets
DO NOT REPRINT © FORTINET
from_dtime and from_itime are other FortiAnalyzer-specific functions. from_dtime returns the device timestamp without the time zone, while from_itime returns FortiAnalyzer’s timestamp without the time zone. As per this query, from_itime appears in the column faz_local_time, while from_dtime appears in the column dev_local_time.
FortiAnalyzer Administrato 7.2 Study Guide
35
SQL and Datasets
DO NOT REPRINT © FORTINET
Here are some common date and time macros used in FortiAnalyzer. Macros are simple substitutions for more complex SQL statements—usually created for SQL statements that are frequently used.
FortiAnalyzer Administrato 7.2 Study Guide
36
SQL and Datasets
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
37
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the key features and concepts of FortiAnalyzer, and how to initially configure FortiAnalyzer. FortiAnalyzer integrates logging, analytics, and reporting into one system so you can quickly identify and react to network security threats.
FortiAnalyzer Administrato 7.2 Study Guide
38
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
In this lesson, you will explore the topics shown on this slide.
FortiAnalyzer Administrato 7.2 Study Guide
39
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in FortiAnalyzer key features and concepts, you will be able to use the device effectively in your own network.
FortiAnalyzer Administrato 7.2 Study Guide
40
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiAnalyzer aggregates log data from one or more Fortinet devices, thereby acting as a centralized log repository. Log aggregation provides a single channel for accessing your complete network data, so you don’t need to access multiple devices several times a day. The logging and reporting workflow operates as follows: 1. Registered devices send logs to FortiAnalyzer. 2. FortiAnalyzer collates and stores those logs in a way that makes it easy to search and run reports. 3. Administrators can connect to FortiAnalyzer using the GUI to view the logs manually, or generate reports to look at the data. You can also use the CLI to perform administrative tasks.
FortiAnalyzer Administrato 7.2 Study Guide
41
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Some key features of FortiAnalyzer include reporting, alert generation, and content archiving. Reports provide a clear picture of network events, activities, and trends occurring on supported devices. FortiAnalyzer reports collate the information in the logs so that you can interpret the information and, if necessary, take the required actions. You can archive and filter the network knowledge you glean from these reports, as well as mine it for compliance or historical analysis purposes. FortiAnalyzer events allow you to react quickly to threats, because it’s not realistic to physically monitor your network around the clock. The system can generate events when specific conditions in the logs are met— conditions you have configured FortiAnalyzer to monitor for registered devices. You can see your events on the GUI, and you can also send them to multiple recipients by email, SNMP, or syslog. Additionally, events that required further investigation can be used to generate new incidents Content archiving provides a way to simultaneously log and archive full or summary copies of the content transmitted over the network. You typically use content archiving to prevent sensitive information from getting out of your organization's network. You can also use it to record network use. The data loss prevention (DLP) engine can examine email, FTP, NNTP, and web traffic, but you must configure the archive setting for each rule in a DLP sensor on FortiGate, so you can specify what you want to archive.
FortiAnalyzer Administrato 7.2 Study Guide
42
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
SQL is the database language that FortiAnalyzer uses for logging and reporting. Advanced reporting capabilities require some knowledge of SQL and databases. For example, you may need to compose custom SQL queries, known as datasets, to extract the data you require from the database.
FortiAnalyzer Administrato 7.2 Study Guide
43
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiAnalyzer has two modes of operation: analyzer and collector. The mode of operation you choose depends on your network topology and individual requirements. When operating in analyzer mode, the device acts as a central log aggregator for one or more log collectors, such as a FortiAnalyzer device operating in collector mode, or any other supported device sending logs. Analyzer is the default operating mode. When operating in collector mode, the device collects logs from multiple devices and then forwards those logs, in their original binary format, to another device, such as a FortiAnalyzer operating in analyzer mode. It can also send them to a syslog server or a common event format (CEF) server, depending on the forwarding mode. A collector does not have the same feature-rich options as an analyzer, because its only purpose is to collect and forward logs. It does not allow event management or reporting. You can change the operating mode in the System Information widget on the dashboard.
FortiAnalyzer Administrato 7.2 Study Guide
44
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
By using both analyzer and collector modes, you increase FortiAnalyzer performance: Collectors offload the task of receiving logs from multiple devices from the analyzer. This allows the analyzer to focus on data analysis and reporting tasks. Furthermore, because a collector is strictly dedicated to log collection, its log receiving rate and speed are maximized. If bandwidth is an issue, like in the case of slow WAN links, you can use the store and upload option to send logs only during low-bandwidth periods. Since the collector does not perform any analytics tasks, it should have most of the disk space allocated for archive logs.
FortiAnalyzer Administrato 7.2 Study Guide
45
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiAnalyzer supports the Security Fabric by storing and analyzing the logs from the units in a Security Fabric group as if the logs are from a single device. FortiAnalyzer correlates traffic logs to corresponding UTM logs so that it can report sessions and bandwidth together with its UTM threats. A session’s traffic logging is always done by the first FortiGate that handled it in the Security Fabric. FortiGate devices in the Security Fabric know the MAC addresses of their upstream and downstream peers. If FortiGate receives a packet from a MAC address that belongs to another FortiGate in the Security Fabric, it does not generate a new traffic log for that session. This helps to eliminate the repeated logging of a session by multiple FortiGate devices. One exception to this behavior is that if the upstream FortiGate performs NAT, then another log is generated. The additional log is needed to record NAT details such as translated ports and addresses. Upstream devices complete UTM logging, if configured, and FortiAnalyzer performs UTM and traffic log correlation for the Security Fabric, in order to provide a concise and accurate record of any UTM events that may occur. No additional configuration is required for this to take place because FortiAnalyzer performs this function automatically. Note that each FortiGate in the Security Fabric logs traffic to FortiAnalyzer independent of the root or other leaf devices. If the root FortiGate is down, logging from leaf FortiGate devices to FortiAnalyzer continues to function.
FortiAnalyzer Administrato 7.2 Study Guide
46
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
This slide shows how logging functions in the Security Fabric to give full visibility while eliminating duplicate logs throughout the environment. There are three FortiGate devices configured in a Security Fabric along with a FortiAnalyzer device. • FGT-A is installed between the corporate network and its internet service provider where it performs SNAT on outbound communications for RFC-1918 hosts, as well as web filtering for HTTP/HTTPS sessions. • FGT-B is installed in the access layer providing device detection, breach isolation, and basic DoS protection from the attached end-user LANs. • FGT-C is installed in the data center where it runs IPS for all inbound communications to the servers behind it. All traffic from Client-1 is received by FGT-B, which creates traffic logs for the initial session. The web session is forwarded to FGT-A, which doesn’t duplicate the initial traffic log but does generate a traffic log as a result of SNAT being applied to the session. Additionally, FGT-A applies a web filtering policy to this session and generates the relevant UTM logs, if appropriate. The SMB session is forwarded to FGT-A, which does not duplicate the initial traffic log. FGT-A doesn’t need to perform NAT or apply web filtering, so it forwards the traffic to FGT-C. FGT-C also does not generate a duplicate traffic log, but it performs IPS inspection based on its configuration and, should a signature match be triggered that results in an action generating a log, logs the event. FortiAnalyzer receives the various traffic and UTM logs and correlates them automatically so that they are linked for proper viewing, reporting, and automation actions.
FortiAnalyzer Administrato 7.2 Study Guide
47
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
The FortiAnalyzer Fabric enables centralized viewing of devices, incidents, and events across multiple FortiAnalyzers. FortiAnalyzer Fabric includes two operation modes: supervisor and member. Supervisors act as the root device in the FortiAnalyzer Fabric. SOC administrators can use the supervisor to view member devices and their ADOMs, authorized logging devices, as well as incidents and events created on members. Incident and event information is synced from members to the supervisor using the API. Members are devices in the FortiAnalyzer Fabric that send information to the supervisor for centralized viewing. When configured as a member, FortiAnalyzer devices continue to have access to the FortiAnalyzer features identified in the FortiAnalyzer Administration Guide. Incidents and events are created or raised from each member. FortiAnalyzers configured with high availability (HA) can become members. However, HA is not supported for FortiAnalyzers acting as the fabric supervisor. All FortiAnalyzer Fabric members must be configured with the same time zone settings as the supervisor.
FortiAnalyzer Administrato 7.2 Study Guide
48
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
ADOMs allow you to group devices to monitor and manage. For example, administrators can manage devices that are grouped based on their geographical location or business division. The purpose of ADOMs is to: •
•
Divide administration of devices by ADOM and to control (restrict) administrator access. If your network uses virtual domains (VDOMs), ADOMs can further restrict access to data that comes from the VDOM of a specific device. More efficiently manage data policies and disk space allocation, which are set per ADOM
ADOMs are not enabled by default and can be configured only by the default admin administrator (or an administrator who has the super user profile). All Fortinet devices included in a Security Fabric can be placed into an ADOM of the Fabric type, allowing for fast data processing and log correlation. You will learn more about ADOMs later in this course.
FortiAnalyzer Administrato 7.2 Study Guide
49
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
50
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will learn to perform the most common initial configurations on FortiAnalyzer.
FortiAnalyzer Administrato 7.2 Study Guide
51
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in the initial configuration of FortiAnalyzer, you will be able to add FortiAnalyzer to your network, and perform basic administrative tasks.
FortiAnalyzer Administrato 7.2 Study Guide
52
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
It is important to know the factory default settings, such as the default username and password, the port1 IP address, the netmask, and the default supported management access protocols, so you can initially connect to the management interface and configure FortiAnalyzer for your network. You can find the default settings in your model-specific QuickStart Guide. Different FortiAnalyzer models have different numbers of ports, but port1 is the management port and always has the same default IP address. If you are deploying the FortiAnalyzer VM, the management IP address and its assignment depend on the virtualization platform you are using. Visit visit https://docs.fortinet.com/product/fortianalyzer-public-cloud/7.0 for more details. You can also configure your management IP on the CLI with the config system interface command.
FortiAnalyzer Administrato 7.2 Study Guide
53
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Just like with FortiGate, the GUI and CLI are the two configuration tools you can use to manage FortiAnalyzer. You can use both tools locally, by connecting directly to FortiAnalyzer, and remotely, based on your configured settings. You can deny or permit access based on IP address. When you use the CLI, you can run commands through the CLI Console widget, available on the GUI dashboard, and through a terminal emulation application, such as PuTTY. Using PuTTY requires a separate Telnet, SSH, or local console (DB-9) connection. The FortiAnalyzer features available on the GUI and CLI depend on the profile of the administrator logged in and the operation mode of FortiAnalyzer. For example, when operating in collector mode, the GUI doesn’t include FortiView, Fabric View, Report, or FortiSOC. Also, if you are logged in with the Standard_User or Restricted_User administrator profiles, full access privileges, like those granted to the Super_User profile, are not available. The CLI also includes some settings that are not available through the GUI. Any configuration changes you make using the GUI and CLI take effect immediately, without resetting the FortiAnalyzer system or interrupting services. Note that the SQL database is disabled by default when FortiAnalyzer is in collector mode, so logs that require the SQL database are not available in collector mode unless the SQL database is enabled on the CLI.
FortiAnalyzer Administrato 7.2 Study Guide
54
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
To log in to the FortiAnalyzer GUI for the first time, open a browser and enter the URL https:// followed by . After the login screen opens, use the factory default administrator credentials to log in. Type the username admin (in lower case) and leave the password field empty. To log in to the CLI for the first time, you can use one of two methods: • •
Integrated CLI Console: Log in to the GUI and click on the CLI icon located on the upper-right corner. You are automatically logged in to the console. Terminal emulation application (such as PuTTY): Enter the FortiAnalyzer port1 IP address and select a supported management access protocol, such as SSH. When connected and prompted to log in, use the factory default administrator credentials.
FortiAnalyzer Administrato 7.2 Study Guide
55
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
The FortiAnalyzer Setup Wizard appears after you log in for the first time. You can use it to register your FortiAnalyzer device with FortiCare, change the default password, set the correct time zone, and set the device hostname. You can choose to complete all or some of the steps now or at a later time. Completed steps display a green check mark beside them.
FortiAnalyzer Administrato 7.2 Study Guide
56
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
The initial configuration of FortiAnalyzer is very similar to FortiGate. In order to configure FortiAnalyzer for your network, you must set the IP address and netmask, select supported administrative access protocols, and specify a default gateway for routing packets. You can do all this on the Network page.
FortiAnalyzer Administrato 7.2 Study Guide
57
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Setting your own IP address and netmask provides more security than using the default address and, if more than one FortiAnalyzer is in the same network, different network settings are mandatory. The management interface must have a dedicated (unique) address. There are a few non-standard administrative access protocols that are worth mentioning as well: •
•
Web service: Allows access to FortiAnalyzer from a web service such as SOAP, a messaging protocol that allows programs that run on disparate operating systems (such as Windows and Linux). The FortiAnalyzer server runs on Linux. FortiManager: Allows FortiAnalyzer to be managed by a FortiManager.
FortiAnalyzer Administrato 7.2 Study Guide
58
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
If you want to configure another port on FortiAnalyzer, you can assign specific IPv4 or IPv6 static routes to a different gateway, so that packets are delivered by a different route. If you want to be able to resolve hostnames in the logs, you need a DNS server. The default primary and secondary DNS server addresses are the FortiGuard DNS servers. You can use these addresses, or change them to some other servers of your preference. It is a best practice to have both a primary and secondary servers. Furthermore, response times are a consideration for DNS, so choose DNS servers as close as possible to your network, such as your internet provider’s DNS.
FortiAnalyzer Administrato 7.2 Study Guide
59
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Many FortiAnalyzer features require an accurate system time to work properly. It is highly recommended to synchronize the system time with a reliable NTP server. This can be done under the System Information widget included on the default dashboard. To increase the bandwidth available to receive logs, and to add network redundancy to FortiAnalyzer, you can configure one or more aggregate links. These are logical links that combine two or more physical interfaces, effectively combining their bandwidth. Additionally, these links will remain active if there is at least one working physical interface, hence adding network redundancy to your device. VLANs are used to isolate different types of traffic in your network. This adds security and, if needed, allows the application of different policies or priorities to that traffic. You can configure VLAN interfaces in FortiAnalyzer to make use of the existing VLANs in your environment.
FortiAnalyzer Administrato 7.2 Study Guide
60
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
If you need to reset your configuration, you can use these commands: •
The execute reset all-settings command erases the show configuration on flash, which contains the IP addresses and routes, while the execute reset all-except-ip command leaves the settings for IP addresses and routes.
•
The execute format disk command erases all device settings, images, databases, and log data on disk, while preserving the IP addresses and routing info. You should always run this command after resetting the configuration.
•
If your environment requires it, you can use the execute format disk deep-erase command to perform a low-level format of the disk one or more times. Keep in mind that this process can take a very long time, even days, depending on the size of the disk being formatted and the number of rounds you specify.
It is a best practice to run these commands while connected directly using the console port to avoid losing access after the configuration is reset.
FortiAnalyzer Administrato 7.2 Study Guide
61
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
You can use the CLI commands shown on this slide to examine or troubleshoot system and network settings on FortiAnalyzer.
FortiAnalyzer Administrato 7.2 Study Guide
62
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
To access and view system-related information, use the diagnose system print commands. For a complete list of arguments, refer to the FortiAnalyzer CLI Reference, which you can obtain from https://docs.fortinet.com.
FortiAnalyzer Administrato 7.2 Study Guide
63
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
64
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
65
Introduction and Initial Configuration
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
66
Administration and Management
DO NOT REPRINT © FORTINET
In this lesson, you will learn some administration and management functions you can use to better protect FortiAnalyzer—and the sensitive log data it stores—against external or internal threats.
FortiAnalyzer Administrato 7.2 Study Guide
67
Administration and Management
DO NOT REPRINT © FORTINET
In this lesson, you will learn about the topics shown on this slide.
FortiAnalyzer Administrato 7.2 Study Guide
68
Administration and Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in using administrative access controls, you will be able to better safeguard the administration of your FortiAnalyzer device and the sensitive data it collects.
FortiAnalyzer Administrato 7.2 Study Guide
69
Administration and Management
DO NOT REPRINT © FORTINET
For security reasons, one of the first tasks you should perform is to change the default admin password. It is recommended that you do this during the Setup Wizard. You can also change it at any time on the Administrators page by right-clicking the administrator user, and then selecting Change Password. Make sure you enter a secure, strong password. Be aware that there is no password recovery option for FortiAnalyzer! If you forget your password and lose access to FortiAnalyzer, one option is to use the execute migrate command that allows you to load a backup of the configuration. Follow these steps: 1. Perform a factory reset on the VM or device. 2. Run the execute migrate command. 3. Use the default admin account and password (system settings are not restored). The other option is to format the flash and reload the image (from the BIOS configuration menu). This erases the system settings, including the administrative accounts. So, make sure you remember your password or store it in a secure location.
FortiAnalyzer Administrato 7.2 Study Guide
70
Administration and Management
DO NOT REPRINT © FORTINET
You can increase the security of your administrator accounts by configuring a global password policy for all administrators on the Admin Settings page. By default, the password policy is disabled. The policy allows you to set a minimum password length, specify if characters or numbers must be included in the password, and specify the number of days for which a password remains valid. If you do set a password expiry, ensure you adhere to the policy and change the password before it expires because there is no password recovery option.
FortiAnalyzer Administrato 7.2 Study Guide
71
Administration and Management
DO NOT REPRINT © FORTINET
Before reviewing the configuration settings, it is necessary to discuss the importance of security. FortiAnalyzer stores your network log information, so it is vital that you protect your data correctly. Here are some security recommendations: • •
•
•
Deploy FortiAnalyzer in a protected and trusted private network. You should never deploy it outside the network. Always use secure connection methods for administration: HTTPS for the GUI, or SSH for the CLI. Methods like HTTP and Telnet use plain text, and are not secure, so an attacker can use packet-sniffing tools to obtain information useful for breaching your network. Use trusted hosts on your users to allow logins only from specific locations. If you do need to open outside access to the device so that remote FortiGate devices can connect, open only the ports necessary for this. Additional open ports increase your security risk. If you need to open direct login access from the outside, be sure to set up special user accounts for this and open only protocols that are secure. Use a secure password because they are important if you start transmitting traffic over connections that anyone (that is, the internet) could be listening to. Make sure you store your administrator password in a secure place because FortiAnalyzer does not support password recovery.
FortiAnalyzer Administrato 7.2 Study Guide
72
Administration and Management
DO NOT REPRINT © FORTINET
Depending on your deployment, you may want to divide FortiAnalyzer administrative tasks among multiple employees by creating additional administrative accounts. However, every additional individual to which you give administrator access causes linear-to-exponential growth in risk. In order to protect your network, you can control and restrict administrative access using the following methods: • • •
Administrative profiles: Determine the level of access, or privileges, granted Trusted hosts: Determine from where a connection can be established ADOMs: Determine to which devices the administrator will have access to view and manage logs
By giving administrative access to multiple people, and employing methods of control, you can better protect your network.
FortiAnalyzer Administrato 7.2 Study Guide
73
Administration and Management
DO NOT REPRINT © FORTINET
You should never give administrators more privileges than they need to fulfill their role. FortiAnalyzer comes with four preinstalled default profiles that you can assign to other administrative users. Administrator profiles define administrator privileges and are required for each administrative account. The four default profiles are: • • • •
Super_User, which, like in FortiGate, provides access to all device and system privileges. Standard_User, which provides read and write access to device privileges, but not system privileges. Restricted_User, which provides read access only to device privileges, but not system privileges. Access to the Management extensions is also removed. No_Permissions_User, which provides no system or device privileges. Can be used, for example, to temporarily remove access granted to existing admins.
You can assign the default profiles to administrative accounts, or you can modify the individual privileges associated with each default profile. Alternatively, you can create your own custom profiles.
FortiAnalyzer Administrato 7.2 Study Guide
74
Administration and Management
DO NOT REPRINT © FORTINET
In addition to controlling administrative access through administrator profiles, you can further control access by setting up trusted hosts for each administrative user. This restricts administrators to logins from only specific IPs or subnets. You can even restrict an administrator to a single IP address, if you define only one trusted host IP. The trusted hosts you define apply to both the GUI and the CLI when accessed through SSH.
FortiAnalyzer Administrato 7.2 Study Guide
75
Administration and Management
DO NOT REPRINT © FORTINET
Another way you can control administrative access is through ADOMs. Using ADOMs makes device management more effective, because administrators need only to monitor and manage devices in their assigned ADOMs. It also makes the network more secure, because administrators are restricted to only those devices to which they should have access. Administrators who have the Super_User profile have full access to all ADOMs. Administrators with any other profile have access to only those ADOMs to which they are assigned—this can be one or more.
FortiAnalyzer Administrato 7.2 Study Guide
76
Administration and Management
DO NOT REPRINT © FORTINET
Instead of creating local administrators, where logins are validated by FortiAnalyzer, you can configure external servers to validate your administrator logins. RADIUS, LDAP, TACACS+, and PKI can all be used to authenticate administrators.
The image on this slide shows an example of an LDAP server configuration.
FortiAnalyzer Administrato 7.2 Study Guide
77
Administration and Management
DO NOT REPRINT © FORTINET
You can use the Match all users on remote server option to enable administrators to log in to FortiAnalyzer using their credentials on a remote authentication server, such as RADIUS, TACACS+, and LDAP. This option is useful for creating wildcard administrators and removes the need for FortiAnalyzer to store local credentials, because a remote authentication server is being used. This simplifies administration. For example, if an employee leaves the company, their account does not exist on FortiAnalyzer––they exist only as a user on a remote authentication server. If you do not select this option, you must provide a password that is used only if FortiAnalyzer is unable to connect to the authentication server. You can set remote authentication server groups, which are listed as GROUP in the Admin Type drop-down list, to extend administrator access. Usually, you create a wildcard administrator only for a single server. However, if you group multiple servers, you can apply a wildcard administrator to all the servers in the group. If you added an LDAP and RADIUS server to your authentication group and the administrator had login credentials on both servers, then the administrator could authenticate on FortiAnalyzer using either their LDAP or RADIUS credentials. You can group multiple servers of the same type to act as backup—if one server fails, the administrator can still be authenticated by another server in the group. You can add remote authentication server groups using the CLI only. In the example shown on the slide, two existing LDAP servers were added. On the CLI (not shown in the slide), an authentication server group was added and named AuthServers and the servers were added to this group.
FortiAnalyzer Administrato 7.2 Study Guide
78
Administration and Management
DO NOT REPRINT © FORTINET
To add additional security to external administrators, you can configure two-factor authentication. To do this, you need to use FortiAuthenticator and FortiToken. On the FortiAnalyzer side, you need to create a RADIUS server that points to FortiAuthenticator and then create an administrator account that points to the RADIUS server. For more information about configuring external servers and two-factor authentication, see the FortiAnalyzer Administration Guide.
FortiAnalyzer Administrato 7.2 Study Guide
79
Administration and Management
DO NOT REPRINT © FORTINET
In FortiAnalyzer, SAML can be enabled across all Security Fabric devices, enabling smooth movement between devices for the administrator by means of single sign-on (SSO). FortiAnalyzer can play the role of the identity provider (IdP), the service provider (SP), or Fabric SP, when an external identity provider is available.
FortiAnalyzer Administrato 7.2 Study Guide
80
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
81
Administration and Management
DO NOT REPRINT © FORTINET
Good job! You now understand administrative access controls. Now, you will learn how to monitor administrative events.
FortiAnalyzer Administrato 7.2 Study Guide
82
Administration and Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in monitoring administrative events and tasks, you will be able to ensure administrators are operating within their assigned role, thereby mitigating risk to your organization.
FortiAnalyzer Administrato 7.2 Study Guide
83
Administration and Management
DO NOT REPRINT © FORTINET
You can track administrator user sessions, including who is currently logged in and on what trusted host, through the Administrators page. By default, only administrators with Super_User access can see the complete list of administrators. Administrators who are logged in are indicated by a green check mark.
FortiAnalyzer Administrato 7.2 Study Guide
84
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer audits administrator activity, so you can source changes to an individual. You can view the local event log messages, such as configuration changes and logins, on the Event Log page. To fine-tune the results, you can add filters. For example, to view local events performed by a specific administrative user, filter by user name.
FortiAnalyzer Administrato 7.2 Study Guide
85
Administration and Management
DO NOT REPRINT © FORTINET
The Task Monitor page allows you to view administrator tasks, as well as the progress and status of those tasks.
FortiAnalyzer Administrato 7.2 Study Guide
86
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer also allows you to monitor FortiGate administrative login activity through FortiView. The Failed Authentication Attempts page shows failed login attempts, and includes the source IP of the login, the login type, the interface, the protocol used, and the number of failed login attempts. The FortiView > System > Admin Logins page (not shown on this slide) shows logins, failed logins, login duration, and configuration changes.
FortiAnalyzer Administrato 7.2 Study Guide
87
Administration and Management
DO NOT REPRINT © FORTINET
Finally, FortiAnalyzer allows you to monitor FortiGate administrative activity using FortiView. The System Events page shows all system and administrator-invoked events. To see more details about an event type, right click on it and select View Related Logs to go to the corresponding section in LogView where more information is available.
FortiAnalyzer Administrato 7.2 Study Guide
88
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
89
Administration and Management
DO NOT REPRINT © FORTINET
Good job! You now understand how to monitor administrative events and tasks. Now, you will learn about administrative domains, known as ADOMs.
FortiAnalyzer Administrato 7.2 Study Guide
90
Administration and Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objective shown in the slide. By demonstrating competence in ADOMs, you will be able to group devices for administrators to monitor and manage. You will also be able to manage data policies and disk space allocation more efficiently.
FortiAnalyzer Administrato 7.2 Study Guide
91
Administration and Management
DO NOT REPRINT © FORTINET
ADOMs are not enabled by default. By default, only administrators with Super_User access can enable and configure ADOMs. You can enable or disable ADOMs in the GUI through System Settings or the CLI with the command config system global. After you enable ADOMs, the system logs you out so it can reinitialize with the new settings. The maximum number of ADOMs you can enable varies by FortiAnalyzer model. After you log in with ADOMs enabled, you must select the ADOM you want to view from the list of configured ADOMs.
FortiAnalyzer Administrato 7.2 Study Guide
92
Administration and Management
DO NOT REPRINT © FORTINET
A global ADOM configuration can operate in either Normal mode, which is the default mode, or Advanced mode. In Normal mode, you cannot assign virtual domains (VDOMs) from the same FortiGate device to multiple FortiAnalyzer ADOMs. You must assign the FortiGate device, and all of its VDOMs, to a single ADOM. In Advanced mode, you can assign VDOMs from the same FortiGate device to multiple FortiAnalyzer ADOMs. This mode allows you to use the FortiView, Event Management, and Reports functions to analyze data for individual VDOMs. Advanced mode results in more complicated management scenarios.
FortiAnalyzer Administrato 7.2 Study Guide
93
Administration and Management
DO NOT REPRINT © FORTINET
The image on this slide shows two scenarios, each consisting of a FortiGate unit with three VDOMs configured. On the top, when using normal mode, is not possible to assign different VDOMs to different ADOMs. On the bottom, when using advanced mode, each VDOM can be assigned to different ADOMs.
FortiAnalyzer Administrato 7.2 Study Guide
94
Administration and Management
DO NOT REPRINT © FORTINET
On the All ADOMs page, you can see all configured ADOMs, as well as the default ADOMs for all nonFortiGate devices. If the default ADOMs do not fit your requirements, you can create your own. The ADOM type you create must match the device type you are planning to add. For example, if you want to create an ADOM for a FortiGate, you must select FortiGate as the ADOM type. By default, the ADOM type is set to Fabric for the root ADOM or when creating new ADOM. During the creation of a new ADOM, you can set the disk quota. This quota is assigned to the ADOM, and not the individual devices added to it. By default, the Maximum Allowed disk quota is set to 50 GB. Note that you cannot delete default ADOMs. You also cannot delete custom ADOMs with assigned devices until you remove all devices from that ADOM.
FortiAnalyzer Administrato 7.2 Study Guide
95
Administration and Management
DO NOT REPRINT © FORTINET
In FortiAnalyzer, all Fortinet devices in a Security Fabric can be placed in the same ADOM. This allows for fast data processing, log correlation and enables combined results to be presented in Device Manager, LogView, FortiView, Incidents & Events/FortiSoC, and Reports panes. After a Fabric ADOM is created, it is listed under the Security Fabric section of All ADOMs.
FortiAnalyzer Administrato 7.2 Study Guide
96
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
97
Administration and Management
DO NOT REPRINT © FORTINET
Good job! You now understand ADOMs. Now, you will learn how to manage disk quotas.
FortiAnalyzer Administrato 7.2 Study Guide
98
Administration and Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding disk quota and how to modify it, you will be able to use disk quotas more effectively in your network.
FortiAnalyzer Administrato 7.2 Study Guide
99
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer devices have finite disk space. When the allotted log disk space is full, the following occurs: • •
An alert message automatically generates on the Alert Message Console as an event log with the level warning. The oldest logs are overwritten. This is the default setting, but you can adjust this behavior to stop logging when the disk is full instead.
No administrator wants to lose valuable log data and run the risk of noncompliance with regard to data retention. As such, it is vital you know your FortiAnalyzer disk quota, how it is enforced, and what space is reserved and thus not available for storing logs.
FortiAnalyzer Administrato 7.2 Study Guide
100
Administration and Management
DO NOT REPRINT © FORTINET
Disk quota includes: •
Archive logs: These are logs compressed on hard disks and offline.
•
Analytics Logs: These are the logs stored and indexed in the SQL database and online.
Analytic logs indexed in the SQL database require more disk space than Archive logs. The only exception to this rule is when FortiAnalyzer is working in collector mode because the SQL database is not running. An average indexed log is 600 bytes in size, and an average compressed log is only 80 bytes in size. Keep this difference in mind when specifying the storage ratio for Analytics and Archive logs. The default ratio is 70%-30%.
FortiAnalyzer Administrato 7.2 Study Guide
101
Administration and Management
DO NOT REPRINT © FORTINET
By default, each ADOM is allowed 1000 MB (or just under 1 GB) worth of drive space on FortiAnalyzer in order to store log data. However, this number is configurable. You can’t set the minimum below 100 MB, and the maximum depends on the disk space allocation of the specific FortiAnalyzer device. The FortiAnalyzer system reserves between 5% to 20% disk space for compression files, upload files, and temporary report files, leaving about 80% to 95% disk space for allocation to devices. It is important to note that if using RAID, the RAID level determines the disk size and reserved quota level. See the table on the slide for more details.
FortiAnalyzer Administrato 7.2 Study Guide
102
Administration and Management
DO NOT REPRINT © FORTINET
You can obtain your disk log usage, including usage for each ADOM, using the CLI command diagnose log device. The total quota value is determined by subtracting the reserved space from the total system storage. The allocated space is determined by adding the archive and analytics quota for all ADOMs. The used space is determined by adding the archive and analytics logs and all the system files mounted on the drive. You can receive the system file value by using the CLI command diagnose system print df.
FortiAnalyzer Administrato 7.2 Study Guide
103
Administration and Management
DO NOT REPRINT © FORTINET
Note that the License Information widget shows a lower value than the quota. This is because it reports only on the number of logs pushed to FortiAnalyzer on that day. Furthermore, it reports only on the ingress traffic, which is limited to the raw log portion. It doesn’t include the log archive, FortiGate store and upload logs, FortiAnalyzer aggregated logs, or FortiClient logs. The SQL database tables are not included either, because this indexing is done by FortiAnalyzer after the log has been received.
FortiAnalyzer Administrato 7.2 Study Guide
104
Administration and Management
DO NOT REPRINT © FORTINET
Disk quota enforcement is performed by different processes: • • •
The logfiled process enforces the log file size and is also responsible for disk quota enforcement by monitoring the other processes The sqlplugind process enforces the SQL database size The oftpd process enforces the archive file size
logfiled checks the processes every two minutes (unless system resources are high) and estimates the space used by the SQL database. If the disk quota is estimated to be above 95%, FortiAnalyzer removes files as needed until they are down to 85%.
FortiAnalyzer Administrato 7.2 Study Guide
105
Administration and Management
DO NOT REPRINT © FORTINET
Based on your log rate and device usage statistics, you may need to adjust your ADOM disk quota so you don’t lose valuable log data. Always monitor your log rate for each device in the ADOM. If you have a high volume of logs, increase the ADOM quota so the oldest logs are not lost prematurely. Allocating insufficient quota to an ADOM can cause many problems. It can: • • •
Prevent you from reaching your log retention objective Cause unnecessary CPU resources enforcing quota with log deletion and database trims Adversely affect reporting if the quota enforcement acts on analytical data before a report is complete
FortiAnalyzer Administrato 7.2 Study Guide
106
Administration and Management
DO NOT REPRINT © FORTINET
If increasing the disk quota is insufficient based on your monitored log rate, you may need to increase your overall disk space. With FortiAnalyzer VMs, you can dynamically add more disk space to your FortiAnalyzer by using the procedure shown on this slide. With a hardware FortiAnalyzer, you must add one or more disks. If you are using RAID, you will also have to rebuild your RAID array if you add another disk. So, it is important to account for future growth and size correctly from the outset.
FortiAnalyzer Administrato 7.2 Study Guide
107
Administration and Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
108
Administration and Management
DO NOT REPRINT © FORTINET
Good job! You now understand disk quotas. Now, you will learn how to back up your FortiAnalyzer and some general best practices.
FortiAnalyzer Administrato 7.2 Study Guide
109
Administration and Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown in this slide. By demonstrating competence in performing a system configuration backup and following best practices, you will be able to minimize the downtime in the case of a system failure or accidental misconfiguration.
FortiAnalyzer Administrato 7.2 Study Guide
110
Administration and Management
DO NOT REPRINT © FORTINET
After you have completed your initial configuration, you should back it up as a best practice. You can perform a backup directly on the GUI using the System Information widget. The System Configuration backups contain everything except the actual logs and generated reports. You can backup logs and reports using the GUI (Log View, Reports) or using the CLI with the command execute backup. What does the System Configuration backup include? • • •
System information, such as the device IP address and administrative user information Device list, such as any devices you configured to allow log access Report information, such as any configured report settings, as well as all your custom report details. These are not the actual reports.
You can save the backup file as an encrypted file for additional security. Be aware that you can restore a backup only to the same model and firmware version. Furthermore, if you require assistance from Fortinet Support and your configuration is required to assist with troubleshooting, your backup should not be encrypted. If changes are made to FortiAnalyzer that affect your network negatively, you can restore the configuration from any of your backups. If your FortiAnalyzer is a VM, you can also use VM snapshots.
FortiAnalyzer Administrato 7.2 Study Guide
111
Administration and Management
DO NOT REPRINT © FORTINET
You can schedule your backups and have them stored in a remote server. FortiAnalyzer supports sending its backup files to FTP, SCP and SFTP servers. The destination server must be preconfigured before you can send the files. You must have valid credentials with read-write permissions in the destination folder. This slide shows the commands used to schedule the backup jobs.
FortiAnalyzer Administrato 7.2 Study Guide
112
Administration and Management
DO NOT REPRINT © FORTINET
The following are some best practices for operating FortiAnalyzer: • • • • • •
Always turn off FortiAnalyzer gracefully because not doing so can damage the databases. Have FortiAnalyzer running on an uninterruptable power supply (UPS) to prevent unexpected power-off events. Also ensure your UPS is stable and has sufficient current to ensure expected behavior. For ease of use, save an unencrypted backup to a secure location. You should use an unencrypted backup when dealing with Fortinet Support because it allows for offline access to the database configuration file. Synchronize the time on FortiAnalyzer and all registered devices with an NTP server for correct log correlation. Implement a comprehensive backup plan that includes the configuration and the logs. Increase reliability by configuring high availability (HA) and link aggregation (available on models 2000E and higher, and VMs).
FortiAnalyzer Administrato 7.2 Study Guide
113
Administration and Management
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
114
Administration and Management
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to use administration and management functions to better defend FortiAnalyzer—and the sensitive log data it stores—against external or internal threats.
FortiAnalyzer Administrato 7.2 Study Guide
115
RAID and HA
DO NOT REPRINT © FORTINET
In this lesson, you will learn how to use RAID and high availability (HA) to make your FortiAnalyzer device more resilient to hardware failures.
FortiAnalyzer Administrato 7.2 Study Guide
116
RAID and HA
DO NOT REPRINT © FORTINET
In this lesson, you will explore the topics shown on this slide.
FortiAnalyzer Administrato 7.2 Study Guide
117
RAID and HA
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve objectives shown on this slide. By demonstrating competence in RAID, you will be able to better safeguard your logs while they are stored locally on FortiAnalyzer.
FortiAnalyzer Administrato 7.2 Study Guide
118
RAID and HA
DO NOT REPRINT © FORTINET
You can protect your logs by using a fault tolerant RAID solution. This improves your log availability should a critical event on your FortiAnalyzer occur. RAID is not supported on all FortiAnalyzer models.
FortiAnalyzer Administrato 7.2 Study Guide
119
RAID and HA
DO NOT REPRINT © FORTINET
Administering and managing your system also includes protecting your log information. This can include introducing redundancy for your log data by making a copy of your logs to act as a backup should your system stops running. The most commonly used method for high performance storage is RAID. You can protect your logs by using a fault tolerant RAID solution. This improves your log availability should a critical event on your FortiAnalyzer occur. However, keep in mind that not all FortiAnalyzer models support RAID. Check your device specifications to verify if RAID is supported. RAID combines two or more physical drives into a single logical drive. RAID enables you to distribute your data among multiple hard drives. RAID distributes data across drives in different ways, referred to as RAID levels. The level you select depends on your goal. Each level provides a different balance of reliability, availability, performance, and capacity. You can configure most devices in many types of RAID arrays. To set up a RAID array, you must have multiple (at least two) drives that are the same size. Note that RAID is not a replacement for backing up your logs. You should still back up your logs, even if you employ RAID.
FortiAnalyzer Administrato 7.2 Study Guide
120
RAID and HA
DO NOT REPRINT © FORTINET
Basic RAID has two types of operation: mirroring and striping. With mirroring, instead of writing the files to a single hard drive, it writes them to another hard drive as well. This way you have a real-time copy of the data. With striping, two or more drives are combined into a single logical drive. When data is stored on the logical drive, it gets split into pieces and distributed across all the physical drives in the array. It is important to note that not all RAID levels operate the same way. Some do only mirroring, others do only striping, and some do both. There are also versions that include distributed parity, which is a way to achieve data redundancy. With distributed parity, parity data is distributed among multiple drives and requires three or more disks (RAID 5 and above). Also, the number of drives that can fail depends on the RAID level. Regardless of the level, too many failed drives results in the loss of data. Depending on the device model, you can build hardware RAID and/or software RAID. Hardware RAID is always recommended because a dedicated controller card handles all the RAID operations faster and more efficiently. Software RAID means that the OS needs to handle all RAID operations on top of all its regular functions. This affects performance; therefore it is not recommended unless it is the only option.
FortiAnalyzer Administrato 7.2 Study Guide
121
RAID and HA
DO NOT REPRINT © FORTINET
Not all FortiAnalyzer models support RAID, so the menu option to configure RAID may not appear on the GUI. Be sure to check the model specifications to see if RAID is supported, and to what level. If RAID is supported, you can configure RAID on the RAID Management page. Supported levels include Linear, RAID 0, RAID 1, RAID 1 + spare, RAID 5, RAID 5 + spare, RAID 6, RAID 6 + spare, RAID 10, RAID 50, and RAID 60.
FortiAnalyzer Administrato 7.2 Study Guide
122
RAID and HA
DO NOT REPRINT © FORTINET
Some common RAID levels are: RAID 0 (striping), RAID 1 (mirroring) and its variants, RAID 5 (distributed parity), RAID 6 (double parity), RAID 50 (striping and distributed parity), and RAID 60 (striping and distributed double parity): •
•
•
•
RAID 0 consists of data split evenly across two or more disks. Speed and performance are the main goals. There is no parity information or data redundancy. This means that there is no fault tolerance; if one disk fails, it affects the entire array and the data is lost. RAID 1 consists of an exact copy of a set of data on two (most common) or more disks. Read performance and reliability are the main goals. RAID 1 includes fault tolerance, so if one disk fails the other one can keep working since it contains a complete copy of the data. RAID 5 consists of block-level striping with distributed parity. Data and parity are striped across three or more disks. This RAID level provides better performance than mirroring as well as fault tolerance. It can withstand the failure of a single drive, as subsequent reads can be calculated from the distributed parity, so that no data is lost. RAID 6 extends RAID 5 by adding another parity block. Accordingly, it consists of block-level striping with two parity blocks distributed across all member disks. It’s more robust than RAID 5, as the system can remain operational even if two disks fail.
FortiAnalyzer Administrato 7.2 Study Guide
123
RAID and HA
DO NOT REPRINT © FORTINET
•
•
•
RAID 10 combines the features of RAID 1 and RAID 0, making sure data is mirrored and spread across multiple disks. RAID 10 balances performance and data security. It's possible to recover data if two drives in a RAID 10 configuration fail, but it's dependent upon which two drives fail. RAID 50 combines block-level striping of RAID 0 with the distributed parity of RAID 5. Write performance is improved over RAID 5 and it provides better fault tolerance than a single RAID 5 level. With this level, one drive from each of the RAID 5 sets can fail. RAID 60 combines block-level striping of RAID 0 with the distributed double parity of RAID 6. Write performance is affected, but the enhanced redundancy provides peace of mind. Dual parity allows the failure of two disks in each RAID 6 array.
For more information about RAID levels, see the FortiAnalyzer Administration Guide. Source: Wikipedia, standard RAID levels, and nested RAID levels
FortiAnalyzer Administrato 7.2 Study Guide
124
RAID and HA
DO NOT REPRINT © FORTINET
On the RAID Management page, you can also view the status of each disk in the RAID array and disk space usage. Disk status can be one of the following: • • • • • •
Ready Rebuilding Initializing Verifying Degraded Inoperable
FortiAnalyzer Administrato 7.2 Study Guide
125
RAID and HA
DO NOT REPRINT © FORTINET
You can view any RAID failures on the Alert Message Console widget on the dashboard. A log message appears in this widget if there are any failures. If a hard disk on a FortiAnalyzer fails, you must replace it. On FortiAnalyzer models that support hardware RAID, you can replace the disk while FortiAnalyzer is still running. This is known as hot swapping. Fortinet supports hot swapping on hardware RAID only. On FortiAnalyzer devices with software RAID you must shut down FortiAnalyzer before exchanging the hard disk.
FortiAnalyzer Administrato 7.2 Study Guide
126
RAID and HA
DO NOT REPRINT © FORTINET
Use the CLI command diagnose system raid status to view the health of the RAID array as well as the health of the individual disks. Use the command diagnose system raid hwinfo to view detailed information about the hardware for the individual disks on FortiAnalyzer. On FortiAnalyzer-VM, only the diagnose system disk usage command is available.
FortiAnalyzer Administrato 7.2 Study Guide
127
RAID and HA
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
128
RAID and HA
DO NOT REPRINT © FORTINET
Good job! You now know how to use RAID to protect the log data. Now, you will learn about using high availability (HA).
FortiAnalyzer Administrato 7.2 Study Guide
129
RAID and HA
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve objectives shown on this slide. By demonstrating competence in the configuration and troubleshooting of HA, you will be able to increase the availability of your FortiAnalyzer implementation.
FortiAnalyzer Administrato 7.2 Study Guide
130
RAID and HA
DO NOT REPRINT © FORTINET
A FortiAnalyzer HA cluster provides the following: • • •
Provides real-time redundancy when the FortiAnalyzer primary device fails. If the primary device fails, another device in the cluster is selected as the primary device. Synchronizes logs and data securely among multiple FortiAnalyzer devices. System and configuration settings applicable to HA are also synchronized. Alleviates the load on the primary device by using secondary devices for processes such as running reports.
A FortiAnalyzer HA cluster can have a maximum of four devices: one primary device with up to three secondary devices. All devices in the cluster must be of the same FortiAnalyzer series and firmware and be visible to each other on the network. All devices must run in the same operation mode: analyzer or collector. Although the available disk space doesn’t need to match, it is important to ensure all cluster members have enough storage for the expected logs. It’s recommended that all members have the same available storage. When using FortiAnalyzer VMs as cluster members, all VMs must be running on the same platform. For example, a VM running on VMware can’t form a cluster with a VM running in KVM. FortiAnalyzer HA implementation works only in networks where Virtual Router Redundancy Protocol (VRRP) is permitted. Therefore, it may not be supported by some public cloud infrastructures. When FortiAnalyzer devices with different licenses are used to create an HA cluster, the license that allows for the smallest number of managed devices is used.
FortiAnalyzer Administrato 7.2 Study Guide
131
RAID and HA
DO NOT REPRINT © FORTINET
In System Settings > HA, use the Cluster Settings section to create or change the HA configuration. To configure a cluster, set the Operation Mode of the primary device to High Availability, and then select the preferred role for the device when it joins the HA cluster. In the Cluster Virtual IP section, you need to select the interface, and type the IP address for which the FortiAnalyzer device is to provide redundancy. Once the cluster is up, the devices sending their logs must point to this IP. By default, the VRRP heartbeat packets are sent to the multicast address 224.0.0.18, and sourced from the primary IP address of the first virtual IP interface configured. From the CLI, you can configure a different interface to send the heartbeats, as well as set it to use unicast. Next, you add the IP addresses and serial numbers of each secondary device to the primary device peer list. The IP address and serial number of the primary device and all secondary devices must be added to each secondary device. Cluster members need to be reachable at these IP addresses for the log synchronization traffic. As shown on this slide and the previous one, these IP addresses don’t have to be on the same subnet as the cluster virtual IP. On the contrary, it is recommended they are on separate subnets. The primary device and all secondary devices must have the same Group Name, Group ID, and Password. The Priority setting is used during the selection of the primary device in the cluster. You can assign a value from 80 to 120, where a higher number has higher priority. The Log Data Sync option is enabled by default. It provides real-time log synchronization among cluster members, after the initial log synchronization.
FortiAnalyzer Administrato 7.2 Study Guide
132
RAID and HA
DO NOT REPRINT © FORTINET
The initial selection of the primary device is based on the preferred rode configured. If the preferred role is Primary, then this device becomes the primary device if it is configured first in a new HA cluster. If there is an existing primary device, then this device becomes a secondary device. The default role is Secondary, so that the device can synchronize with the primary device. A secondary device cannot become a primary device until it is synchronized with the current primary device. In the case of a primary device failure, FortiAnalyzer HA uses the following rules to select a new primary: •
• •
All cluster devices are assigned a priority from 80 to 120. The default priority is 100. If the primary device becomes unavailable, the device with the highest priority is selected as the new primary device. For example, a device with a priority of 110 is selected over a device with a priority of 100. If multiple devices have the same priority, the device whose primary IP address has the greatest value is selected as the new primary device. For example, 123.45.67.124 is selected over 123.45.67.123. If a new device with a higher priority or a greater value IP address joins the cluster, the new device does not replace (or pre-empt) the current primary device automatically.
By default, the only parameter checked to trigger an automatic failover is the network reachability among the cluster members. You can optionally configure HA to check the status of the Postgres database process to initiate a failover if that process stops working. This is done from the CLI with the command set healthcheck DB, under the system ha configuration mode.
FortiAnalyzer Administrato 7.2 Study Guide
133
RAID and HA
DO NOT REPRINT © FORTINET
To ensure logs are synchronized among all HA devices, FortiAnalyzer HA synchronizes logs in two states: initial synchronization and real-time synchronization. Initial synchronization: The primary device synchronizes its logs with new devices added to the cluster. After initial synchronization is complete, the secondary device automatically reboots and rebuilds its log database with the synchronized logs. You can see the status in the Cluster Status pane Initial Logs Sync column Real-time synchronization: After the initial log synchronization, the HA cluster goes into the real-time log synchronization state. Log Data Sync is enabled by default for all devices in the HA cluster. When Log Data Sync is enabled in the primary device, the primary device forwards logs in real time to all secondary devices. This ensures that the logs in the primary and secondary devices are synchronized. If the primary device fails, the secondary device selected to be the new primary device continues to synchronize logs with secondary devices. If you want to use a FortiAnalyzer device as a standby device (not as a secondary), then you don't need real-time log synchronization, so you can disable Log Data Sync. Configuration synchronization provides redundancy and load balancing among the cluster devices. A FortiAnalyzer HA cluster synchronizes the configuration of the following modules to all cluster devices: • Device Manager • Incidents and Events • Reports • Most System Settings FortiAnalyzer HA synchronizes most system settings in the HA cluster. The table on this slide shows some of the settings that are synchronized. Refer to the FortiAnalyzer Administration Guide for the complete list.
FortiAnalyzer Administrato 7.2 Study Guide
134
RAID and HA
DO NOT REPRINT © FORTINET
The FortiAnalyzer HA cluster can also balance the load and improve overall performance. Load balancing enhances the following modules: • Reports • FortiView When generating multiple reports, the loads are distributed to all HA cluster devices in a round-robin fashion. When a report is generated, the report is synchronized with other devices so that the report is visible on all HA device members. Similarly, for FortiView, cluster devices share some of the load when these modules generate output for their widgets. Like upgrading the firmware of a standalone FortiAnalyzer device, normal FortiAnalyzer operations may cause temporary interruptions while the cluster firmware upgrades. Because of these interruptions, you should upgrade the cluster firmware during a maintenance period. The steps to upgrade HA cluster firmware are shown on this slide. Note that you might not be able to connect to the FortiAnalyzer GUI until the upgrade synchronization process is complete. During the upgrade, using SSH or Telnet to connect to the CLI might be slow. If necessary, use the console to connect to the CLI.
FortiAnalyzer Administrato 7.2 Study Guide
135
RAID and HA
DO NOT REPRINT © FORTINET
The Cluster Status pane monitors the status of FortiAnalyzer devices in an HA cluster. This pane displays information about the role of each cluster device, the HA status of the cluster, and the HA configuration of the cluster. The following information is displayed: • Role • Serial Number • IP • Host Name • Uptime/Downtime • Initial Logs Sync • Configuration Sync • Message You can use the CLI command diagnose ha status to display the same HA status information. This slide also shows other useful CLI diagnosis commands to monitor and troubleshoot HA. The image on the slide is only for demonstration purposes. It was intentionally taken on a misconfigured HA cluster to illustrate some errors you might experience in a similar case.
FortiAnalyzer Administrato 7.2 Study Guide
136
RAID and HA
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
137
RAID and HA
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
138
RAID and HA
DO NOT REPRINT © FORTINET
This slide show the objectives that you covered in this lesson. You learned how to use RAID and high availability (HA) to make your FortiAnalyzer device more resilient against hardware failures.
FortiAnalyzer Administrato 7.2 Study Guide
139
Device Management
DO NOT REPRINT © FORTINET
In this lesson, you will learn how to register devices on FortiAnalyzer for log collection, as well as how to troubleshoot communication between FortiAnalyzer and its registered devices.
FortiAnalyzer Administrato 7.2 Study Guide
140
Device Management
DO NOT REPRINT © FORTINET
In this lesson, you will explore the topics shown on this slide.
FortiAnalyzer Administrato 7.2 Study Guide
141
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in device registration, you will be able to configure FortiAnalyzer to collect logs from registered devices.
FortiAnalyzer Administrato 7.2 Study Guide
142
Device Management
DO NOT REPRINT © FORTINET
For FortiAnalyzer to start collecting logs from a device, that device must become a registered device on FortiAnalyzer. To FortiAnalyzer, there are only two types of devices: those that are registered and those that are unregistered. A registered device is one that has been authorized to store logs on FortiAnalyzer, whereas an unregistered device is one that is requesting to store logs on FortiAnalyzer. There are four ways you can register a device with FortiAnalyzer. The first method involves a request for registration from a supported device. When the FortiAnalyzer administrator receives that request, the request is accepted (though it can be denied). The second method involves the FortiAnalyzer Add Device wizard. The device can be added based on its serial number. If the device is supported, and all the details of the device are correct, the device becomes registered.
FortiAnalyzer Administrato 7.2 Study Guide
143
Device Management
DO NOT REPRINT © FORTINET
The third method also involves the FortiAnalyzer Add Device wizard. The device is added using a pre-shared key. After the device is configured and the correct pre-shared key is added, it is automatically registered. The pre-shared key needs to be added from the device CLI. Note that only FortiGate devices can be added using this method.
FortiAnalyzer Administrato 7.2 Study Guide
144
Device Management
DO NOT REPRINT © FORTINET
The fourth method uses the Fortinet Security Fabric authorization process. This method requires that both FortiGate and FortiAnalyzer are running version 7.0.1 or higher. It is also required that the FortiGate administrator has valid credentials to log in on FortiAnalyzer and complete the registration.
FortiAnalyzer Administrato 7.2 Study Guide
145
Device Management
DO NOT REPRINT © FORTINET
There are two ways to initiate a request from a FortiGate device. In the first method, FortiGate requests registration on FortiAnalyzer by enabling remote logging and specifying the FortiAnalyzer IP. This is done from the Log & Report section as shown on this slide. After clicking Apply, and if the request reaches the FortiAnalyzer successfully, you receive a warning asking you to confirm the serial number of the FortiAnalyzer to verify it is the correct one. Note that if you click Test Connectivity, you see the connection status as Unauthorized. This is because the FortiAnalyzer administrator has not yet accepted the request to register. At this stage, FortiGate is still an unregistered device. After the request is made by the supported device, it automatically appears under the root ADOM in Device Manager. The FortiAnalyzer administrator should review the details of the unauthorized device and, if satisfied, authorize the device. During acceptance of the registration request, if ADOMs are enabled, you have the option of keeping FortiGate in the root ADOM, or adding it to any custom FortiGate ADOMs you may have configured, as illustrated on this slide.
FortiAnalyzer Administrato 7.2 Study Guide
146
Device Management
DO NOT REPRINT © FORTINET
Using this method, the FortiGate administrator enables the Security Fabric. By enabling the Security Fabric, FortiAnalyzer Logging is enabled by default. By configuring the FortiAnalyzer IP on the upstream FortiGate, all the FortiGate devices connected to the upstream FortiGate through the Security Fabric receive the configuration for FortiAnalyzer, and all the FortiGate devices connected through the Security Fabric request registration on FortiAnalyzer. Like in the previous method, after clicking Apply you receive a warning asking you to confirm the serial number of the FortiAnalyzer to verify it is the correct one. Note that if you click Test Connectivity, you see the connection status as Unauthorized. This is because the FortiAnalyzer administrator has not yet accepted the request to register. At this stage, FortiGate is still an unregistered device. After the request is made by the supported device, it automatically appears under the root ADOM in Device Manager. The FortiAnalyzer administrator should review the details of the unauthorized device and, if satisfied, authorize the device. During acceptance of the registration request, if ADOMs are enabled, you have the option of keeping FortiGate in the root ADOM or adding it to any custom FortiGate ADOMs you may have configured. This was illustrated on the previous slide. Note that it is recommended to add all the FortiGate devices connected through the Security Fabric under one ADOM. However, it is possible to separate the FortiGate devices and assign them to different ADOMs.
FortiAnalyzer Administrato 7.2 Study Guide
147
Device Management
DO NOT REPRINT © FORTINET
With this method, you use the device registration wizard in the FortiAnalyzer Device Manager. The FortiAnalyzer administrator proactively initiates, and ultimately performs, the registration. The administrator must have the specific serial number of the device that is to be registered. If the device information is verified, the status reads “Device is added successfully”, and the device appears under Device Manager. If ADOMs are enabled, the device is automatically registered to its device-specific ADOM. However, if you’ve already created a custom ADOM and want to add the device directly to that ADOM instead, switch to the ADOM before adding a device using the wizard.
FortiAnalyzer Administrato 7.2 Study Guide
148
Device Management
DO NOT REPRINT © FORTINET
With this method, you also use the Add Device wizard in the FortiAnalyzer Device Manager. The FortiAnalyzer administrator proactively initiates, and ultimately performs, the registration. The administrator must set a pre-shared key and fill in the other details about the device that is to be registered, such as the device model. If the device information is verified, the status reads “Device is added successfully”, and the device appears under Device Manager. If ADOMs are enabled, the device is automatically registered to its device-specific ADOM. However, if you’ve already created a custom ADOM and want to add the device directly to that ADOM instead, switch to the ADOM before adding a device using the wizard. The pre-shared key needs to be added from the device CLI to finish the process.
FortiAnalyzer Administrato 7.2 Study Guide
149
Device Management
DO NOT REPRINT © FORTINET
To use this method, you first configure FortiAnalyzer to accept authorizations through fabric connectors. You must type which IP and port are to be used to receive the requests. By default, port 443 is used. Next, the FortiGate administrator enables the Security Fabric to use FortiAnalyzer for logging, and then initiates the authorization process from the FortiAnalyzer Status window. The FortiGate administrator must have valid credentials on FortiAnalyzer to complete the registration process. This is done by clicking Approve in the Fortinet Security Fabric window.
FortiAnalyzer Administrato 7.2 Study Guide
150
Device Management
DO NOT REPRINT © FORTINET
After you register various Fortinet devices, they appear on the Device Manager tab for that ADOM. You can also view details about the log status and used storage for that ADOM. Unregistered devices appear under the root ADOM only until they are registered and assigned to an ADOM.
FortiAnalyzer Administrato 7.2 Study Guide
151
Device Management
DO NOT REPRINT © FORTINET
By default, all registered devices are included in a default device group. You can create custom device groups for better organization and more efficient management of those devices. For example, you can create custom groups based on physical location and functionality. Additionally, if your environment justifies it, device groups can be nested. For example, a device group named Canada_Offices, can contain a nested group for each one of the locations in your network. Spaces are not allowed in the names of custom device groups.
FortiAnalyzer Administrato 7.2 Study Guide
152
Device Management
DO NOT REPRINT © FORTINET
When a FortiGate device is registered, FortiAnalyzer automatically has permission to collect the following types of logs, if they are enabled on FortiGate: • • • •
Logs: This log type details information about traffic, events, and security. DLP Archive: This log type details information about any sensitive data trying to get in or out of your network. Quarantine: This log type details files that have been placed into quarantine by the device sending the logs. IPS Packet Log: This log type details information about network packets containing the traffic matching IPS signatures.
FortiAnalyzer Administrato 7.2 Study Guide
153
Device Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
154
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand how to register a device. Now, you will learn about ways to troubleshoot communication issues between FortiAnalyzer and your registered devices.
FortiAnalyzer Administrato 7.2 Study Guide
155
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objective shown on this slide. By demonstrating competence in communication troubleshooting, you will be able to efficiently troubleshoot issues that could prevent log collection.
FortiAnalyzer Administrato 7.2 Study Guide
156
Device Management
DO NOT REPRINT © FORTINET
This slide shows some basic CLI commands that you can use to check system status, performance, and hardware statistics.
FortiAnalyzer Administrato 7.2 Study Guide
157
Device Management
DO NOT REPRINT © FORTINET
When using the get system status command to troubleshoot system issues, the following information can be helpful: • • •
• •
Version: Ensure the FortiAnalyzer firmware version is compatible with the device you are registering (see the FortiAnalyzer Release Notes for supported firmware versions). Admin Domain Configuration: Ensure ADOMs are enabled if attempting to register a non-FortiGate device. Current Time: Ensure your date and time is set according to your needs. For many features to work, including scheduling, logging, and SSL-dependent features, the FortiAnalyzer system time must be accurate. While you can manually set the date and time, it is recommended that you synchronize with a Network Time Protocol (NTP) server. Disk Usage: Ensure you have enough free disk space to accept and store logs from registered devices. License Status: Ensure you have a valid licence. This is for a VM only.
FortiAnalyzer Administrato 7.2 Study Guide
158
Device Management
DO NOT REPRINT © FORTINET
When using the get system performance command to troubleshoot system issues, look at the used space for CPU, memory, hard disk, and flash disk. If any of these are nearing capacity, you may experience issues with log collection. The used capacity need not be 100% before you experience problems. For example, the space assigned to a hard disk quota is not fully available for logs, because some of it is reserved for system usage and unexpected quota overflow. For FortiAnalyzer VMs, note that a minimum of 8 GB is recommended for the memory.
FortiAnalyzer Administrato 7.2 Study Guide
159
Device Management
DO NOT REPRINT © FORTINET
The diagnose hardware info command provides useful details about CPU, memory (RAM), and disks. The memory and RAID sections can be very useful while troubleshooting system issues. The Memory info section provides a more granular breakdown of the memory than what is provided by the get system performance command. For example, the total memory from get system performance includes the total memory plus the swap memory. The diagnose hardware information command shows a more detailed breakdown of all memory components. Swap memory refers to the disk space available to use when the physical memory is full, and the system requires more memory. For a temporary period, inactive pages in memory are moved to the swap space. If RAID is enabled and being used as a high-performance storage solution, the RAID level impacts the determination of disk size and reserved quota level.
FortiAnalyzer Administrato 7.2 Study Guide
160
Device Management
DO NOT REPRINT © FORTINET
This slide shows the FortiAnalyzer CLI commands you can run to discover which devices and IPs are connecting to FortiAnalyzer, which ADOMs are enabled and configured, and which devices are currently registered and unregistered.
FortiAnalyzer Administrato 7.2 Study Guide
161
Device Management
DO NOT REPRINT © FORTINET
If you are experiencing communication issues between other devices and FortiAnalyzer, first ensure that both devices can reach each other. Use the execute ping CLI command on either device to verify reachability (ping must be enabled and allowed by all intermediate firewalls). You can also run sniffers on both devices to see if packets that leave FortiGate are reaching FortiAnalyzer. If packets are leaving FortiGate, but not reaching FortiAnalyzer, look at other devices in the network, because an intermediate router or firewall may be blocking the traffic or routing it inappropriately. Other areas to check: • • • •
Is FortiGate configured for remote logging to FortiAnalyzer? Is the FortiAnalyzer source IP set on FortiGate? This is important if FortiAnalyzer is accessed over a VPN that only allows a specific subnet. Are the logging filters for logs sent to FortiAnalyzer enabled on FortiGate? Is FortiGate capable of generating logs and can FortiAnalyzer receive them? If you don’t see any logs on FortiGate, you must examine the logging issue on FortiGate before proceeding with troubleshooting the FortiAnalyzer side.
FortiAnalyzer Administrato 7.2 Study Guide
162
Device Management
DO NOT REPRINT © FORTINET
You can use the following commands at the same time to troubleshoot communication issues: Step one: Run the diagnose debug application oftpd 8 command on FortiAnalyzer to view current log activity Step Two: Run the diagnose log test command on FortiGate to send some test logs to FortiAnalyzer: Step Three: Review the output shown on this slide. If everything is working as expected and logs are being received, you should see some entries on the FortiAnalyzer side.
FortiAnalyzer Administrato 7.2 Study Guide
163
Device Management
DO NOT REPRINT © FORTINET
If FortiAnalyzer becomes unavailable to a FortiGate device for any reason, the FortiGate uses its miglogd process to cache the logs. There is a maximum value to the cache size, and the miglogd process drops cached logs starting with the oldest ones first. When the connection between the two devices is restored, the miglogd process begins to send the cached logs to FortiAnalyzer. The FortiGate buffer keeps logs long enough to sustain a reboot of your FortiAnalyzer (if you are upgrading the firmware, for example). This is not intended for a lengthy FortiAnalyzer outage. On FortiGate, the CLI command diagnose test application miglogd 6 displays statistics for the miglogd process, including the maximum cache size, and current cache size. The CLI command diagnose log kernel-stats shows an increase in failed-log if the cache is full and needs to drop logs. FortiGate devices with an SSD disk have a configurable log buffer. When the connection to FortiAnalyzer is unreachable, FortiGate can buffer logs on disk if the memory log buffer is full. The logs queued on the disk buffer can be sent successfully once the connection to FortiAnalyzer is restored.
FortiAnalyzer Administrato 7.2 Study Guide
164
Device Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
165
Device Management
DO NOT REPRINT © FORTINET
Good job! You now understand how to troubleshoot communication issues. Now, you will learn how to manage registered devices.
FortiAnalyzer Administrato 7.2 Study Guide
166
Device Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in moving devices between ADOMs and adding FortiGate devices members of HA clusters, you will be able to manage registered devices effectively in your network.
FortiAnalyzer Administrato 7.2 Study Guide
167
Device Management
DO NOT REPRINT © FORTINET
You can move devices between ADOMs after registration on the All ADOMs page. While you shouldn’t move devices between ADOMs unless you have to, one such use case is if you have a mix of low-volume and high-volume log rates in one ADOM. In this situation, it is recommended that you place low-volume log rate devices in one ADOM and high-volume log rate devices in another ADOM. This prevents quota enforcement from adversely affecting low-volume log devices. You can move devices between ADOMs by editing the custom ADOM you want to add the device to, and then selecting the device(s) to add to it. Note that you do not need to move devices into a new ADOM if you upgrade your FortiGate firmware.
FortiAnalyzer Administrato 7.2 Study Guide
168
Device Management
DO NOT REPRINT © FORTINET
There are some important considerations when moving devices between ADOMs, especially if logs are already being collected for the device you are moving: • •
•
What is the disk quota of the new ADOM? Ensure the new ADOM has enough space. Are the device analytics logs required for reports in the new ADOM? If so, you must rebuild the new ADOM SQL database. When you move a device, only the archive logs (compressed logs) are migrated to the new ADOM. The analytics logs (indexed logs) stay in the old ADOM until you rebuild the database. Do you want to see the device analytics logs in the old ADOM? If no, you need to rebuild the old ADOM SQL database. Otherwise, they are removed according to the data policy.
FortiAnalyzer Administrato 7.2 Study Guide
169
Device Management
DO NOT REPRINT © FORTINET
FortiAnalyzer automatically discovers if a FortiGate device is in an HA cluster (this is also true for some other Fortinet devices). However, if you register your device with FortiAnalyzer before adding it to a cluster, you can manually add the cluster within FortiAnalyzer. With an HA cluster, the only device that communicates with FortiAnalyzer is the primary device in the cluster. The other devices send their logs to the primary, which then forwards them to FortiAnalyzer. To enable a cluster, edit the registered device on FortiAnalyzer in Device Manager and enable the HA Cluster option. You can either add existing devices to the cluster, or manually enter the serial numbers associated with each device. FortiAnalyzer distinguishes different devices by their serial numbers, which are found in the headers of all the different log messages it receives.
FortiAnalyzer Administrato 7.2 Study Guide
170
Device Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
171
Device Management
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
172
Device Management
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to add, manage, and maintain devices in your network.
FortiAnalyzer Administrato 7.2 Study Guide
173
Logs and Reports Management
DO NOT REPRINT © FORTINET
In this lesson, you will learn how to protect and manage logs on FortiAnalyzer. You will also learn about basic report concepts and common report management tasks.
FortiAnalyzer Administrato 7.2 Study Guide
174
Logs and Reports Management
DO NOT REPRINT © FORTINET
In this lesson you will explore the topics shown on this slide.
FortiAnalyzer Administrato 7.2 Study Guide
175
Logs and Reports Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding the log file workflow, and the different ways you can protect your log data, you will be able to meet organizational and legal requirements for logs..
FortiAnalyzer Administrato 7.2 Study Guide
176
Logs and Reports Management
DO NOT REPRINT © FORTINET
When registered devices send logs to FortiAnalyzer, logs enter the following automatic workflow: 1. Logs received are decompressed and saved in a log file on the FortiAnalyzer disk. The log file has the extension .log. For example, FortiGate logs are saved with the names tlog.log and elog.log, for traffic and event logs respectively. Note that FortiGate security logs are included in the tlog.log file. 2. The saved logs are simultaneously indexed in the SQL database to support analysis. Logs in the indexed phase are known as analytics logs. These logs are considered online and offer immediate analytic support. You can view these logs using Log View, FortiView, FortiSoC, and Reports. Analytics logs are purged from the SQL database as specified in the ADOM data policy. 3. Eventually, when the log file reaches a configured size, or at a set schedule, it is rolled over. The process of rolling over consists of renaming the file adding a timestamp, and then compressing it, which adds the .gz extension. These files are known as archive logs and are considered offline so they don’t offer immediate analytic support. Combined, they count toward the archive quota and retention limits, and they are deleted based on the ADOM data policy. You can view these logs using Log Browse.
FortiAnalyzer Administrato 7.2 Study Guide
177
Logs and Reports Management
DO NOT REPRINT © FORTINET
RAID should not be considered a replacement for backing up your logs. You can back up your logs through the GUI or CLI. • • •
Log View allows you to download a specific filtered view. Log Browse allows you to download rolled logs. FortiAnalyzer also provides the option to upload logs to an FTP, SFTP, or SCP server on a scheduled basis. The CLI command execute backup logs sends everything to whatever device or devices you specify. The data is compressed before being sent, so the transfer doesn’t begin instantaneously. The device needs to process the logs and store them in an archive, which can take some time. This bulk data dump may include a lot of data, so make sure your server has enough disk space.
You can restore logs using the GUI and the CLI.
FortiAnalyzer Administrato 7.2 Study Guide
178
Logs and Reports Management
DO NOT REPRINT © FORTINET
Storage connectors allow you to back up data (rolled logs) to public cloud accounts in Amazon S3, Microsoft Azure, and Google Cloud. Support for this feature requires you to configure the following components on FortiAnalyzer: • Create a fabric connector for Amazon S3, Microsoft Azure, or Google Cloud. • Configure cloud storage. Fabric connectors also enable FortiAnalyzer to send notifications to ITSM platforms when a new incident is created or for any subsequent updates. This approach is more efficient than third-party platforms polling information from the FortiAnalyzer API at predefined intervals, which could result in FortiAnalyzer performance degradation. Security Fabric connectors enrich incident response-related actions available on FortiSOC.
FortiAnalyzer Administrato 7.2 Study Guide
179
Logs and Reports Management
DO NOT REPRINT © FORTINET
In order to send logs to cloud platforms, you must buy a separate license for the Storage Connector Service. This license includes: • Storage limitation: amount of data that can be uploaded to the cloud platform. • Expiry date: the date up to which the storage data can be sent. Normally valid for one year. This license does not include the storage used on the cloud provider. It includes only the amount of data that you can transfer. To configure this feature, you must have an account with permissions to access the cloud storage. Refer to the FortiAnalyzer Administration Guide for more details. Note that if uploaded logs reach data storage limitations before the license expires, you must renew the license in order to continue to use this service. After the license is uploaded, you can enable the Upload logs to cloud storage feature under System Settings > Device Log Settings, and then select the cloud storage platforms that the data will be sent to. You can use the diagnose fmupdate dbcontract fds command to find out about the license validity and expiry details. The diagnose test application uploadd 63 command gives details, such as usage quota, total data upload in GB, total number of files uploaded, number of days remaining until license expiry, and number of uploaded requests that were dropped.
FortiAnalyzer Administrato 7.2 Study Guide
180
Logs and Reports Management
DO NOT REPRINT © FORTINET
To protect your logs during log delivery, you can add redundancy to your environment. In a FortiGateFortiAnalyzer environment, there are a few options. One option is to configure a FortiAnalyzer HA cluster. FortiAnalyzer HA provides real-time redundancy when a FortiAnalyzer primary device fails. If the primary device fails, another device in the cluster is selected as the primary device. It synchronizes logs and data securely among multiple FortiAnalyzer devices. System and configuration settings applicable to HA are also synchronized. It also provides load balancing for processes, such as running reports. The second option is to configure FortiGate to send an identical set of logs to a second logging server, such as a second FortiAnalyzer or a syslog. Note that this increases the load on the FortiGate device because the log daemon must handle an additional TCP connection to the second log device. However, with proper system sizing, this additional load is not a factor. This option is not available for smaller FortiGate devices that do not support a second device. Another option is to set up log forwarding in aggregation mode. Generally, your central (aggregating) device is going to be a larger FortiAnalyzer, but this is not a requirement. The collector sends a delta (incremental changes) of the logs to the aggregation server. The two devices compare what they have stored, and the collector sends only what the analyzer doesn’t have. This not only reduces the amount of traffic that is sent, but it also provides a level of redundancy. If there’s a catastrophic failure of the analyzer device, the collector sends all the data it has and repopulates the restored analyzer automatically. Aggregation mode is only supported between two FortiAnalyzer devices.
FortiAnalyzer Administrato 7.2 Study Guide
181
Logs and Reports Management
DO NOT REPRINT © FORTINET
Log forwarding can run in modes other than aggregation mode, which is only applicable between two FortiAnalyzer devices. FortiAnalyzer can also forward logs in real-time mode to a syslog server, a Common Event Format (CEF) server, or another FortiAnalyzer. The FortiAnalyzer that forwards logs to another plays the role of the client, while the recipient plays the role of the server. To configure log forwarding, you must complete the following: 1. Set the log forwarding mode: aggregation or forwarding. • Forwarding mode forwards logs as they are received. It does not forward content files (DLP, antivirus quarantine, and IPS). • Aggregation mode stores logs and content files and uploads them to the FortiAnalyzer server at a scheduled time. 2. Configure the server (the log recipient). 3. Configure the client (the FortiAnalyzer forwarding the logs). Here you can also specify which device logs to forward and set log filters to only send logs that match filter criteria. In addition to forwarding logs, the FortiAnalyzer client retains a local copy of the logs. The local copy of logs are subject to the data policy settings for archive logs on the FortiAnalyzer client.
FortiAnalyzer Administrato 7.2 Study Guide
182
Logs and Reports Management
DO NOT REPRINT © FORTINET
In the default configuration, there are two communication streams between FortiGate and FortiAnalyzer. One is the OFTP communication, which is encrypted, and the other is the log communication, which is not. OFTP is used over SSL when information is synchronized between FortiAnalyzer and FortiGate. OFTP listens on port TCP/514. Port UDP/514 is used for unencrypted log communication. The log communication between devices can be protected by encryption, with the desired encryption level, using the commands shown on the slide. SSL communications are auto-negotiated between FortiAnalyzer and FortiGate, so the OFTP server uses SSL-encrypted FTP, only if it is being used by the connecting FortiGate. By default, FortiGate uses the high encryption level and FortiAnalyzer uses the high encryption level. The FortiAnalyzer encryption level must be equal to, or less than, the FortiGate device.
FortiAnalyzer Administrato 7.2 Study Guide
183
Logs and Reports Management
DO NOT REPRINT © FORTINET
To prevent logs from being tampered with while in storage, you can add a log checksum using the config system global command. You can configure FortiAnalyzer to record a log file hash value, timestamp, and authentication code when the log is rolled and archived and when the log is uploaded (if that feature is enabled). This can also help against man-in-the-middle only for the transmission from FortiAnalyzer to an SSH File Transfer Protocol (SFTP) server during log upload. The following log checksums are available: • • •
md5: Record log file MD5 hash value only. md5-auth: Record log file MD5 hash value and authentication code. none: Do not record the log file checksum.
You can also change the OFTP certificate to a custom one using the config system certificate oftp command. You require a Privacy-Enhanced Mail (PEM) formatted certificate and associated PEM-formatted private key.
FortiAnalyzer Administrato 7.2 Study Guide
184
Logs and Reports Management
DO NOT REPRINT © FORTINET
Aside from increasing your disk log quota, what can you do to better manage your logs on disk? You can: • •
Specify a global log roll policy to roll or upload logs when the size exceeds a set threshold Specify a global automatic deletion policy for all log files, quarantined files, reports, and content archive files on FortiAnalyzer
FortiAnalyzer Administrato 7.2 Study Guide
185
Logs and Reports Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
186
Logs and Reports Management
DO NOT REPRINT © FORTINET
Good job! You now understand how to manage your log data. Now you will learn about basic report concepts.
FortiAnalyzer Administrato 7.2 Study Guide
187
Logs and Reports Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in understanding report concepts, you will be able to use reports more effectively to extract collected log data from your database.
FortiAnalyzer Administrato 7.2 Study Guide
188
Logs and Reports Management
DO NOT REPRINT © FORTINET
The purpose of a report is to summarize large amounts of logged data. Based on configured report parameters, FortiAnalyzer extracts data and presents it in a graphical manner that makes it easier—and quicker—to digest. The patterns and trends that reports reveal already exist as several points of data within your database, but it would be difficult and time consuming to manually locate, cross-reference, and analyze multiple log files, especially if you don’t know what trend or pattern you are looking for. Once configured, reports do the investigation for you and provide a quick and detailed analysis of activity on your network. You can then use that information to better understand your network or improve your network security. Note that reports do not provide any recommendations or give any indication of problems. Administrators must be able to look beyond the data and charts to see what is happening within their network.
FortiAnalyzer Administrato 7.2 Study Guide
189
Logs and Reports Management
DO NOT REPRINT © FORTINET
A FortiAnalyzer report is a set of data organized in charts. Charts consist of two elements: • •
Datasets: Structured Query Language (SQL) SELECT queries that extract specific data from the database Format: how the data is displayed (for example, pie charts, bar charts, or tables)
FortiAnalyzer Administrato 7.2 Study Guide
190
Logs and Reports Management
DO NOT REPRINT © FORTINET
As the graphic on this slide shows, the SQL database contains all the logs. A SQL SELECT query polls the database for specific information. Based on the query, a subset of information stored in the logs is extracted. This subset of data populates a chart, and one or more charts exist within a report.
FortiAnalyzer Administrato 7.2 Study Guide
191
Logs and Reports Management
DO NOT REPRINT © FORTINET
When ADOMs are enabled, each ADOM has its own reports, libraries, and advanced settings. As such, make sure that you are in the correct ADOM before selecting a report. Additional reports for specific Fortinet devices are available only when ADOMs are enabled. You can configure and generate reports for these devices within their respective ADOMs. These devices also have device-specific charts and datasets.
FortiAnalyzer Administrato 7.2 Study Guide
192
Logs and Reports Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
193
Logs and Reports Management
DO NOT REPRINT © FORTINET
Good job! You now understand the basic concepts of reports in FortiAnalyzer. Now you will learn how to mange reports.
FortiAnalyzer Administrato 7.2 Study Guide
194
Logs and Reports Management
DO NOT REPRINT © FORTINET
After completing this section, you should be able to achieve the objectives shown on this slide. By demonstrating competence in report management, you will be able to handle, store, and more efficiently control reports and report generation.
FortiAnalyzer Administrato 7.2 Study Guide
195
Logs and Reports Management
DO NOT REPRINT © FORTINET
You can configure FortiAnalyzer to email generated reports to specific administrators, or to upload generated reports to a syslog server. This allows reports to exist externally, instead of remaining locally on FortiAnalyzer. In order to use any of these external storage methods, you must first set up the back end. This includes configuring a mail server (for emailed reports only) and an output profile. If ADOMs are enabled, each ADOM has its own output profiles. The output profile specifies the following: • • •
The format of the report, such as PDF, HTML, XML, CSV, and JSON Whether to email generated reports or upload to a server. You can specify one option, both, or create multiple outlook profiles. Server options include FTP, SFTP, and SCP. Whether to delete the report locally after uploading to the server
FortiAnalyzer Administrato 7.2 Study Guide
196
Logs and Reports Management
DO NOT REPRINT © FORTINET
When a report generates, the system builds the charts from precompiled SQL hard-cache data, known as hcache. If the hcache is not built when you run the report, the system must create the hcache first and then build the report. This adds time to the report generation. However, if no new logs are received for the reporting period, when you run the report a second time it is much faster because the hcache data is already precompiled. To boost the report performance and reduce report generation time, you can enable auto-cache in the settings of the report. In this case, the hcache is automatically updated when new logs come in and new log tables are generated. Note that hcache is automatically enabled for scheduled reports. If you are not scheduling a report, you may want to consider enabling hcache. This ensures reports are efficiently generated. However, be aware that this process uses system resources (especially for reports that require a long time to assemble datasets), so you should monitor your system to ensure it can handle it. Additionally, you can opt for enabling Extended Log Filtering to cache specific log fields for faster filtering.
FortiAnalyzer Administrato 7.2 Study Guide
197
Logs and Reports Management
DO NOT REPRINT © FORTINET
FortiAnalyzer Administrato 7.2 Study Guide
198
Logs and Reports Management
DO NOT REPRINT © FORTINET
Congratulations! You have completed this lesson. Now, you will review the objectives that you covered in this lesson.
FortiAnalyzer Administrato 7.2 Study Guide
199
Logs and Reports Management
DO NOT REPRINT © FORTINET
This slide shows the objectives that you covered in this lesson. By mastering the objectives covered in this lesson, you learned how to manage the log data and reports in FortiAnalyzer.
FortiAnalyzer Administrato 7.2 Study Guide
200
DO NOT REPRINT © FORTINET
No part of this publication may be reproduced in any form or by any means or used to make any derivative such as translation, transformation, or adaptation without permission from Fortinet Inc., as stipulated by the United States Copyright Act of 1976. Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.